The work of the Information Commissioner: appointment of a new Commissioner - Justice Committee Contents

Examination of Witnesses (Questions 1-19)


13 JANUARY 2009

  Q1 Chairman: Mr Thomas, Mr Smith, Mr Entwisle, welcome, particularly welcome to Richard Thomas on his last appearance before us in his present capacity. Your intended successor has been named. We will interview said gentlemen in a few weeks' time and the session today will perhaps assist us in that process. I want to invite Mr Michael to start off by exploring some issues around the nature of the job itself, but is there anything you would like to say by way of introduction? You have provided us with a paper which we much appreciate.

  Richard Thomas: I am sad that it is my last occasion before you in this capacity, but thank you very much for inviting me in. I prepared a memorandum which I sent to your Clerk at the end of last week. I hope that is helpful to the Committee in setting out a broad picture of what I see the work of the office to be and the challenges ahead. Thank you very much for the opportunity.

  Q2  Alun Michael: There is one specific question I want to ask but first I think perhaps it would be useful if I could ask you to reflect generally on the role of the Information Commissioner. It has obviously changed during your period. There have been some very interesting events. Could you reflect first on where you see the role of the Information Commissioner being at the point of handover and what you see as the likely developments, either in terms of the way it might be forced by events or what you think, in the light of your experience, ought to be the key role of the Commissioner?

  Richard Thomas: Thank you very much, Mr Michael. When I started the job was called Information Commissioner. It had originally been the Data Protection Registrar and then the Data Protection Commissioner. When I arrived the Freedom of Information Act had changed the title and so perhaps there has always been a bit of a problem in brand recognition and getting people to understand that it is all the same organisation. However, clearly, for me the major challenge was to inherit a data protection organisation which in two years' time was going to be taking on board the freedom of information responsibilities, and so for the four (out of six and a half) years that I have been Commissioner, freedom of information has been live, as it were. That has made, I think, quite fundamental changes to the nature of the organisation. It is summed up in the mission which we have adopted, which is that we are "promoting public access to official information and protecting personal information". Sometimes people say, "Can you do both at once? How can you be concerned with freedom of information, which is all about greater openness, and data protection, which is more about secrecy and confidentiality?". In fact, I think they can be reconciled very easily indeed because one is about official information and one is about protecting personal information. There are some issues around the edges and there are some problems in dovetailing but I think it is absolutely right that the same Commissioner, the same public office, should regulate both areas. They are both about information rights, they are both a body of law which has to be applied in a consistent way, and I think they both involve a certain degree of cultural challenge for the organisations which are being regulated. I would not favour the approach in, say, Canada or the Republic of Ireland, Canada at federal level where there are two separate commissioners. In Australia now they are creating an Information Commissioner to bring the two strands together and that is the modern way forward. So I would argue very strongly that our experience bears out that the two should be in the same organisation. In terms of the challenges ahead, I said in my paper that it is a very lively position. I have been very privileged to lead the Information Commissioner's Office. There is a great team in place there, a very hard-working team. One of the features of the role is the sheer variety of subject matter. Both freedom of information and data protection have this very horizontal impact. Almost all areas of public life and commercial life one way or the other fall within one or both of the statutes, so part of it is always dealing with a very stimulating and wide range of subject matter, often with surprises coming day by day. You never quite know what is coming tomorrow or next week. However, we do have some clear, consistent approaches. I think we have tried very hard on the data protection and the freedom of information side to set out our strategic approach, the principles we adopt and our priorities. I have no doubt that my successor will come in with some fresh thinking, some fresh ideas, and may want to change some of the priorities. But we try to be as clear as possible in what we are trying to do and how we are trying to do it. That has been the approach and I think that probably is in broad terms the approach which is right for any regulatory body. We subscribe strongly to the Better Regulation Principles and I think they have been very helpful in informing our work. I cannot predict exactly what the challenges are going to be. All I can say is that it will be a challenging job and I clearly wish my successor very good fortune in taking the role forward.

  Q3  Alun Michael: You make it sound nearly as interesting and exciting as being a Member of Parliament. The second thing I want to explore you have introduced quite well by referring to "the office", the organisation, and so on. It is the sort of question that one might equally addressed to the Ombudsman, for instance, which is, where is the relationship between the personal responsibility of the Commissioner and the role of the office? I frankly have become increasingly concerned about response statements coming from the Office of the Information Commissioner. I have rather felt that I want to know what the Information Commissioner's answer is, not what the office thinks, because an office response can be anything from the deputy to the head person to the office cleaner putting out a statement. Has there not been a blurring of the personal responsibility of the Commissioner by this increasing anonymity by reference to an office and an organisation?

  Richard Thomas: I understand very clearly the issue that you are raising. It is not easy. I am appointed as an individual, but I am the Information Commissioner and the law says I am a corporation sole. So I am like a company in relation to my statutory responsibilities. I have an office, the Information Commissioner's Office, the staff of which the Commissioner is the employer, which has to deliver the results. Clearly no individual is ever going to be successful unless you can rely upon your team to deliver the results in a clear and consistent way, and that is what we have tried to do. At the same time the individual, the Commissioner, takes ultimate accountability, is ultimately responsible for everything done in his or her name. I take that very seriously. You have to delegate, you have to devolve, you have to trust your staff but you have to give clear signals and messages as to the way you would like to do things. I have tried to adopt a fairly corporate approach. I would not describe it as blurring, which you suggested; I do think it is right to have a corporate approach. One of the best things I did was to appoint a management board. The management board is the executive team, the full-time, senior executive staff, plus four non-executive board members. The statute does not provide for that but I felt it was the right thing to do, and that really gave me a great deal of support in some of the changes I thought right to introduce into the organisation, and more recently setting the overall strategic direction and providing the internal accountability mechanism. Within that we work very hard at the executive team level and with internal communications and external communications to make sure that we give a consistent line to the outside world. So on occasions David Smith, who is my deputy on the data protection side, or Graham Smith, who is my deputy on the freedom of information side, will make public statements. At the end of the day we all take collective responsibility. My name can be there at the end of the day. I sign the annual report and the accounts. I have the ultimate responsibility, but I think it does have to be very much a shared, collegiate approach and that is the style we have tried to adopt.

  Q4  Alun Michael: I would accept that, but, just very briefly, there is a big difference between somebody who is the senior officer making a particular pronouncement stating what the position is and something coming out anonymously as the statement from "the office". You sounded more as if it was the team approach rather than the anonymous office that you favour.

  Richard Thomas: It can be both. It's depends on the subject matter. Often statements or decisions are made with a named individual, myself or deputies or sometimes an Assistant Commissioner or others. On other matters the right approach is a press release or whatever to say, "This is the view of the ICO". But I would not drill down too deeply and say that there is any great difference. At the end of the day the Commissioner and carries responsibility, so we are not trying to draw any distinctions there. It is a matter of convenience; it is not a matter of principle at the end of the day. Yes, the Commissioner has the responsibility, but he or she can only work through team effort.

  Q5  Dr Whitehead: When we previously spoke about resources for the Office of the Information Commissioner you firstly reflected that, as it were, the learning process within the organisation would make better use of resources as the role developed but also with the addition of some resources to remove an early backlog, which I think you reflected perhaps related to the introduction of the Act itself, but resources would then over a considerable period of time be adequate for the work of the office. Is that still your view?

  Richard Thomas: Perhaps I can preface my remarks by painting the picture of resources. We have two quite separate revenue streams. Freedom of Information is funded by grant-in-aid from the Ministry of Justice. Data protection is now funded entirely by fees received from data controllers who notify us every year of their data processing. When I started all the notification fee income was remitted to the Ministry and then to the Treasury and we only got some of it back through grant-in-aid. I was able to change the arrangements so that we were entitled to keep the data protection money ourselves, which not least gave us a big incentive to go out and get more people notified who were not notified. Simon has some figures showing how the data protection numbers, the body of people registering, have gone up quite substantially since that happened over the last two or three years. What we cannot do by law, and I think it is probably right as a matter of policy, is cross-subsidise. We cannot subsidise freedom of information from data protection. Where we have got commercial organisations it would be wrong in principle and wrong in law for them to subsidise freedom of information, so we are dependent upon grant-in-aid. The position at the moment is that every year we have a discussion with the Ministry of Justice about the funding available for freedom of information. We were able to secure more for the current financial year, which goes through until the end of March. We currently have £5.5 million and that has enabled us to keep abreast of cases as they come in. We are now closing slightly more cases every year than we receive, which is where any complaint handling body would like to be. However, it is not as straightforward as that. Certainly we have a problem because of what I can call the backlog which built up in the first year. That first year was undoubtedly a very difficult year for all of those and created a backlog which we have not been able to eliminate. We have made inroads into it and reduced it somewhat, but it is still there. It does mean, as you will see from my paper, that the figures indicate that we close 50% of cases now inside 30 days, but, frankly, those are the more straightforward cases which we can close very easily. The majority of those cases which have to be investigated are now waiting typically six months before we can start the investigation process and I have said that that is unacceptable, that is disappointing, that is frustrating. We have made a lot of changes. We have built on the experience of team workers. We have changed the procedures. We have changed some of the structures. We are sending more of the work to Belfast and Cardiff when there is capacity to help out. We have got far more knowledge management over the internal intranet to give people lines to take, so we are getting through the cases far more. Unfortunately, the volumes go up. This year we have had a 15% increase in our projection, so, compared to the previous year, we are 15% ahead. Having said that, with that money we are still keeping abreast of cases, slightly more going out than coming in. This year we have established the good practice and enforcement team. When I came to see this Committee last time I shared with you my frustration at not being able to put out any guidance, and that was both inefficient and costly for the public sector, that they had to get advice from lawyers and others because we could not put guidance out. So within that budget we are now able to put out guidance. We have done a huge amount in the last year or so, but we still, I am afraid, do not know our budget from April 2009 onwards. We are still waiting to hear from the Ministry of Justice. I said in my paper that they have told us that despite an increase in cases we cannot expect to see a budget above £5.5 million. I think this Committee probably is aware that the MoJ does have very severe financial challenges which we are broadly aware of. We have been told that we cannot expect to get more than £5.5 million and there is still discussion going on to try and hang onto that.

  Q6  Dr Whitehead: Having said that, you have reduced your target in the 2008-09 corporate plan for cases that would be closed within the year from 80% to 70%.

  Richard Thomas: Yes. We have had, I am afraid, Dr Whitehead, to set realistic targets. We are meeting the targets. Perhaps Simon can say a bit more about how we have improved productivity over the last year but it is a lower target than the previous year; it is now 70% closed within the year.

  Q7  Dr Whitehead: The thrust of my question there though is, does that reflect cutting the cloth to the funds available and therefore producing what might be determined as a success within constrained circumstances, or is that, as you suggested, a realistic appreciation of where you will be over the next two to three years and therefore a realistic yardstick of how you might be judged?

  Richard Thomas: It is an honest and open and realistic target. We see no point in setting targets which we know we are not going to be able to deliver, so it was an adjustment of the target. We work extremely hard to achieve those targets. I have to say that I think generally freedom of information is done on quite a shoestring. £5.5 million was to employ 53 caseworkers. That is a very small number for the whole of the public sector and the teams are working extraordinarily hard. It is not cutting the cloth in the way you suggest. It is a realistic target. It is very frustrating that we do not have more staff. We do not have the ability to recruit more long term staff. The longer people stay with us the more we get better productivity. We have had new staff, we have had secondees from the Civil Service, but most new people take about six months to get up to speed by the time you have trained them and really got them into the swing of things. I am not proud of that situation but I have to be honest, and I am being honest in our annual report, in our corporate plans and with this Committee. That is the situation.

  Simon Entwisle: Perhaps it is just worth my mentioning that as we close more of our older cases that percentage will look worse when actually we are doing better. It will appear that if we close 70% of our cases in less than a year what it means is that we are closing a lot of old cases, so in fact it looks worse but we are doing better. The converse applies when you are building a backlog up. By reducing that figure it shows that we are targeting older cases. When they close or go onto our statistics they will make us look as if we have done worse, but actually we will be getting rid of our old cases. That is what that means. I hope that makes sense.

  Q8  Dr Whitehead: That is interesting, I would say, but surely under those circumstances there would then be a method of reflecting in the corporate programme precisely that distinction? I can understand the logic of that, whereby, if you are to some extent catching up from a poor position and reflecting that, because of the longevity of some cases, in your forward plan, that would be reflected in the way you describe. However, presumably in terms of your understanding of how the forward plan is progressing, you would need to distinguish between that effect and what is happening with cases that arise as the forward plan itself progresses, so as to reflect whether you really are making a difference or not.

  Simon Entwisle: And we do that in the annual report now. We also report on what happens to the cases that we have received in the year as well as what has happened to those cases that we carry forward from the year before. We did that deliberately in order to try and complete the picture for the person who is reading the report.

  Q9  Chairman: Do you think that it would be better if you were in the position that exists in Scotland where the Commissioner is wholly a creature of Parliament, that is, it is bare rations and resources come from Parliament? I am not saying that there is any guarantee that you would get more money but, from the perception point of view, for your resources to depend on the department which has to promote freedom of information throughout Whitehall and has responsibility for that but which in its own turn has a rather worrying record in its own conduct in that it fails to deal with the large majority of requests on time, there is a suggestion that the poacher can afford to underpay the gamekeeper.

  Richard Thomas: Chairman, I came to this Committee, I think, three or four years ago and made the point that I thought it would be desirable to have direct funding from Parliament. After controversies about MPs' expenses I am not so sure, but I still think in principle that that is the right approach if it could be done. I know that Kevin Dunion, the Scottish Commissioner, does receive direct funding. I think proportionally he is probably better funded than we are. We are funded by the Ministry of Justice. If I can just give some indication of comparisons, I mentioned our 53 staff. The MoJ itself has 28 staff dealing with FOI requests, just for the MoJ. It includes NOMS, the Prison Service, but they do not have to go nearly as deeply into unfamiliar territory as we have to, dealing with their own organisation. They do not have to give written decisions on the cases which have to be resolved, so I think we bear very good comparison to those sorts of figures, but it does mean that our funding comes out of the same budget. Our funding is a sub-part of the budget available to the Information Directorate of the Ministry of Justice. We have a good, constructive relationship with them. They are doing their best, I think, to give us the funding, but I think there are some perception issues, as the Chairman suggested. Within that directorate, what used to be called the Clearing House; it is now called the FOI Policy and Strategy Team. But they are giving advice on FOI across the rest of Whitehall. It is a slightly uncomfortable situation.

  Q10  Chairman: Just on the FOI legislation itself, is it operating effectively? Does it give you sufficient powers? What explains the degree of increase in the FOI cases which come to you? Is it departments being unhelpful? Is it other bodies as well? Is it greater public awareness of the availability of this remedy? Is this means of getting information relevant to their lives?

  Richard Thomas: I think it is difficult to speculate. I hope that the Committee can recognise what I said in my paper, which is that I think Freedom of Information has now become part of the fabric of public life. I think all the surveys and the other indicators are that it has really struck home with the general public, with the political world, with the media world. I think there has been an enormous amount of interest in it. I was just looking at the sorts of disclosures made in the last week or so since Christmas. We have had FOI disclosures on mixed sex hospital wards, Tony Blair's meetings, Whitehall spending on Christmas parties, speed cameras, body organs sold abroad, the sale of Sellafield, deaths from knife stabbings, police call-out to schools. You will see the sheer variety and range of subject of matter. I think it has registered with the general public. 400,000 requests we estimate have been made in the first four years. I think that is a large number by any measure for brand-new legislation. We know from our surveys that the general public are increasingly aware of the Act and are also aware of the benefits of greater openness, and I think that has all contributed to perhaps the unsurprising rise and maintaining of the volume of requests. Of course, a proportion of those requests will come to us by way of complaints. In many ways it is surprising how few complaints compared to the total number of requests come to us. It is more than 10,000 over the four years out of the 400,000 that have come to us. That means that by and large people do not need to register a complaint with us. Perhaps it goes back to the delay issue which Dr Whitehead mentioned. We are flat out, I have to say, dealing with requests, but sometimes delays are caused not just because we are waiting to allocate cases; we do hit some resistance, some recalcitrance, in public authorities. It is still quite new legislation, it is still settling down, but sometimes people are not as fast at dealing with our investigations and casework as we would like them to be. We have increasingly over the last couple of years been using our formal powers to serve an information notice on the public authority which has been reluctant to show us the disputed information, and either the threat of that or sometimes the use of that does bring the material to our eyes a bit faster.

  Q11  Chairman: Is there any pressing need to add to or modify your powers?

  Richard Thomas: I do not think so on the freedom of information side, Chairman. Perhaps we will talk about data protection somewhere else. For FOI it is still a fairly new Act of Parliament and I certainly have not been calling for any changes in the basic structure of the legislation. I am not aware of others. There is a report due out fairly soon on the so-called 30-year rule, which I think will be looked at. The Prime Minister commissioned that about a year ago. I think that is coming out fairly soon now, which is about whether government materials could be released sooner than 30 years on a proactive basis. There is also a consultation by the MoJ about extending the legislation to bodies which are not currently inside the scope of freedom of information—some of the more recent bodies or some of the utility-type bodies or contractors. Should it be extended to them? A part of the Act which we have, I think, breathed some fresh life into, which was a bit of a Cinderella, is on the so-called publication schemes. That came into force before 2005, the obligation on every public body to have a publication scheme documenting what is going to be disclosed on a routine basis. As from January phase two has come into force and we have increased the expectations of public bodies. I think it is a win-win here because public bodies increasingly are seeing that the more they can routinely disclose information and move towards more of a culture of normal openness the less they will have difficult requests because they will be on the front foot in deciding what can and should be disclosed rather than responding to requests and complaints as they come in. I have been doing a round of meetings with permanent secretaries in Whitehall, I saw one this afternoon, and I think they understand that it is an attractive way forward. We have had a very positive response to the second round, phase two, of publication schemes.

  Q12  Mr Heath: Mr Thomas, you have been critical in the past of the apparently insatiable demand from government for more and more information which they can accumulate or occasionally mislay on a larger amount of databases about more and more people. Indeed, I think I recall your comments that we were "sleepwalking into a surveillance society", which is much quoted, not least by me. I wonder if you have a view about what further safeguards are needed if we are to maintain the privacy of the individual in the face of these more complex IT "solutions" to data storage.

  Richard Thomas: Mr Heath, I understand your party has announced your chairmanship of its Privacy Commission today.

  Mr Heath: You can be sure we will be co-operating with your Commission over the coming months.

  Q13  Alun Michael: It was probably a secret though.

  Richard Thomas: We are an open and transparent organisation. Mr Clegg has announced a commission.

  Q14  Mr Heath: I sent it to the DWP and they circulated it.

  Richard Thomas: I have tried to share with the Committee my view that data protection is now taken a great deal more seriously. I had some reservations and some anxieties when I started. I thought it had become somewhat marginalised, somewhat overly legalistic and (in my phrase) almost theological. I think it had become the domain of experts and bypassed almost everybody else, so the public and the media and politicians did not really understand the fundamental importance of it. I have worked very hard with the team to put a great deal more guidance out and to use plain language in our advice. The fundamental message has been that we want to help the vast majority of organisations who want to get data protection right, but to be tougher on the minority who do not. That has been our theme, pushing that button very hard. We have raised issues along the way, particularly in relation to the large-scale collection of data by government and others. In my third week of office I was sharing a platform with David Blunkett, who was then Home Secretary, about identity cards and the debate about that was just starting. We have come a long way since then with other issues, e.g. in 2006 we hosted a major international conference, "The Surveillance Society?". We published a three-volume report. We raised some concerns. I was very pleased that we had two parliamentary committees, the Home Affairs Committee in the Commons and the House of Lords Constitution Committee. It was quite unusual to have two committees looking at the same subject at the same time, and the Lords Committee I think is due to report quite soon. I feel pleased that we have got people taking the issue seriously. There are some very deep and difficult issues but they are not black and white. You cannot say all collection of data is bad, all data protection is good. It is all about getting the right balance. We have tried to take a very responsible approach to this at the general level of anxieties about excessive surveillance. I think it has resonated, if you like, across the spectrum. At one end you have had The Guardian, at the other end the Daily Mail, both very much focused on the risks of excessive surveillance, but we are not against proper law enforcement, we are not against improving public services. We are not Luddite in this area. We want to get the balance right. Individual issues come forward—the children's database, the communications database, which the Home Office is going to be consulting on. We raised concerns about those. I do think as Commissioner, and this goes back to the general point, that you have to speak out on particular occasions but you have to choose your ground carefully. You cannot be a rent-a-quote. You cannot come out every time there is an issue and express a view. You have to have a principled approach rooted in the law and the principles of data protection and express—and I have always tried to express—a responsible line and have constructive engagement and discussion with those concerned. David can say a little bit more about what we have done on this front because I think it has changed very dramatically the attitudes towards data protection.

  David Smith: In terms of looking for safeguards, the safeguards tend to fall into three areas: legal safeguards built into the law, technical safeguards built into the systems, and procedural safeguards. On legal safeguards Richard has initiated work looking at the European directive which sits behind the UK Data Protection Act and whether that really provides a modern-day framework for protecting people's rights. The idea is simply that if you want access to your data there is a law that says you apply in writing and you wait 40 days and you send £10, whereas actually it is done online now so should that right not be modernised? That is part of it and Richard has promoted that debate. In the technical area we have done a lot of work on Privacy Impact Assessment and Privacy by Design: you can build this into systems in the first place so the systems can provide a lot of protections. On the procedural, we know about data breaches and how these reveal the absence of procedures, the lack of data protection being taken seriously, the lack of accountability, which is an area which again we have put a lot of attention on. It is within those areas that we need to focus.

  Q15  Mr Heath: Can I ask you about that last area? There has been a whole succession of breaches of data protection, sometimes quite extraordinary in their scale. Are government departments learning the lessons? Are you confident that the procedures that are now in place are better than that which was in place just a few months ago?

  David Smith: I am confident that government are doing the right things. I think the house is out on whether that will actually make a huge difference. Yes, there are unacceptable data breaches; you are absolutely right. A lot of work has been done to address changing culture, changing procedures and so on. As for whether that is entirely effective, I hesitate to say this. But ask us in a year's time and we will look and see what has happened. They are moving in the right direction.

  Richard Thomas: We did announce in, I think, November that in the previous year since the first major HMRC incident we had been notified of 277 data breaches and we published a breakdown—central government, local government, Health Service, private sector-and different types of breach. It is a large number and some are fairly minor, some are very serious. We indicated that we were investigating 30 of them because we have a system of prioritisation. We have been serving enforcement notices, for example, against HMRC and MoD. We are seeking undertakings from other bodies, so we are trying to keep them on their toes. My judgement is that, certainly with the plethora of reports and recommendations and changes coming from the centre in Whitehall, a lot of effort has gone in the last 12 months into improving practice. I think some of the reports exposed some really quite unacceptable practices before but I think things are improving. One of the concerns I want to share with the Committee is that it is not just about data security. That is perhaps the most visible and the easiest part of data protection going wrong. Data minimisation is collecting no more information than you need in the first place, not keeping it longer than you need, being aware that there are risks—mistakes, positive or negative mismatches, inaccuracies, out-of-date information. We have taken action, for example, against police forces for retaining minor conviction data, often relating to young people, far longer than we think appropriate. The tribunal upheld us on that particular approach although the police are appealing that to the Court of Appeal later this year. It is not just about security. That is the bit which I think people find easier to understand, but we have taken a risk-based approach and we think others should see that data protection really is enlightened self-interest. There are reputational risks. If you like, it is glorified risk assessment, and in the name of enlightened self-interest they should be addressing these issues and not collecting or using more information than they really need for a particular purpose.

  Q16  Mr Heath: That is very interesting. Do I hear from what you are saying then that in large databases where there is known to be a larger cost of deletion, where inevitably a breach causes more loss, more breaches of data protection rules, you believe it is intrinsic that they are more vulnerable and therefore it should be in the interests of data protection that databases should be as small, as clearly targeted and as regularly cleaned, as it were, as possible? Is that a reasonable synopsis of what you are saying?

  Richard Thomas: As a broad proposition I think you have elaborated this concept of data minimisation. Technology is immensely powerful. I think people have the technology in place without always understanding its power and its scope. It is not just "Large databases bad"; the more you collect, the greater the risk. With a well-run organisation, if it knows what it is doing and it has got the right paperwork, the right technology, the right training, the right awareness for its staff, it should not have any problems. But it does need to take this holistic approach. I have called for this to be addressed at board level. It cannot be left to the IT department or the lawyers or the compliance team. You have to look at the paperwork, the technology and the people in order to get it right. I have said that one of the challenges on data protection is this whole area of improving governance and accountability.

  Q17  Mr Heath: Can the technology safeguard match the rapidly developing technology of data accumulation and capture?

  Richard Thomas: I think probably, as David said, the jury is still a bit out on that. What is interesting is that there are a lot of technological solutions now coming on stream. We hosted a conference in Manchester and published a report in November, Privacy by Design, looking at privacy-enhancing technologies and other approaches, as David said, to minimise the risks from the outset. It is no good bolting things on. It is very expensive to bolt them on later. If you get it right at the architectural stage you have a far better chance of keeping costs down and producing the right results.

  Q18  Alun Michael: I would like to explore a little further this issue of whether we can get the right balance into play. My starting point is that I agree entirely with what you said earlier about the protection of private data and the availability of public information needing to be regulated in the same place. In terms of the public debate, it is the case, is it not, that we swing after an event like Soham to saying that everything should be stored immediately and instantly to a data loss which leads some people to say—and I would not call it a Heath doctrine—that you cannot trust government with large amounts of information? Can I ask you where you think we are on that voyage of discovery?

  Richard Thomas: I think it is a voyage and it is ongoing and will probably go on for many years to come. You are absolutely right that public opinion can swing from one extreme to the other—not enough data being collected, too much data being collected. I was responsible for the Review on Data Sharing, which was outside my official role as Commissioner, but the Prime Minister and the Justice Secretary asked me and Sir Mark Walport to do a report looking at where data is either being shared inappropriately or is not being shared where it should be shared. We took a measured approach in this report. We addressed a number of issues. We set out some criteria. Clarity of purpose and proportionality are hugely important considerations. It is difficult to generalise. You could take a hypothetical example: everybody would be outraged if congestion cameras in London were to be used to track erring husbands or wives. At the other extreme there is a protocol in place now for the Metropolitan Police to have access to those cameras under our jurisdiction where there is serious terrorist activity. One has to look at each case on its merits. It is desperately difficult to generalise.

  Q19  Alun Michael: Would you agree therefore, on this point of data sharing and data not being shared when it should be, that the tendency sometimes of legal advisers or data protection officers within organisations to say, "If in doubt do not share", is as dangerous as, "If in doubt always share", and that there is a responsibility on each occasion where there is either a request for data to be shared or the possibility of it being considered within an organisation to say that we actually have to look clinically at the balance of responsibilities?

  Richard Thomas: We have heard both sets of accusations made quite regularly. It has been said over many years that we need to review it. Legislation I think is imminent in this area. My office already has a statutory code of practice on information sharing setting out principles of Do's and Don'ts as to how you can make a measured judgement in this area. We recommended, and I am delighted that the Government has accepted, that that code should be made a statutory code. My office, if the Bill goes through, will be required to give a formal opinion on the acceptability or otherwise of a proposed data sharing initiative which will go through secondary legislation to be enacted. So I welcome the fact that we are going to have a stronger role with statutory underpinning to say what is acceptable in a particular case of data sharing and what is not acceptable.

previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2009
Prepared 9 February 2009